Reversing: The Hacker's Guide to Reverse Engineering


In order to illustrate what this problem actually looks like in the code, I
have listed parts of the vulnerable code here. These listings are obviously
incomplete; the functions involved are far too long to be included in their entirety.


CVariableSet::AddExtensionControlBlock


The function that actually contains the overflow bug is
CVariableSet::AddExtensionControlBlock, which is implemented in idq.dll. Listing
7.2 contains a partial listing (I have eliminated some irrelevant portions of it)
of that function.
Notice that we have the exact name of this function and of other internal,
nonexported functions inside this module. idq.dll is considered part of the
operating system, so Microsoft publishes debugging symbols for it, which is why
the debugger can resolve these internal names. The printed code was taken
from a Windows 2000 Server system with no service packs, but there are quite
a few versions of the operating system that contained the vulnerable code,
including Service Packs 1, 2, and 3 for Windows 2000 Server.


idq!CVariableSet::AddExtensionControlBlock:
6e90065c mov eax,0x6e906af8
6e900661 call idq!_EH_prolog (6e905c30)
6e900666 sub esp,0x1d0
6e90066c push ebx
6e90066d xor eax,eax
6e90066f push esi
6e900670 push edi
6e900671 mov [ebp-0x24],ecx
6e900674 mov [ebp-0x2c],eax
6e900677 mov [ebp-0x28],eax
6e90067a mov [ebp-0x4],eax
6e90067d mov eax,[ebp+0x8]
.
.
.
6e9006b7 mov esi,[eax+0x64]
6e9006ba or ecx,0xffffffff
6e9006bd mov edi,esi
.
.
.
6e9007b7 push 0x3d
6e9007b9 push edi
6e9007ba mov [ebp-0x18],edi
6e9007bd call dword ptr [idq!_imp__strchr (6e8f111c)]

Listing 7.2 Disassembled listing of CVariableSet::AddExtensionControlBlock from idq.dll.
(continued)
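What the prologue in Listing 7.2 tells an auditor: call idq!_EH_prolog sets up the frame pointer and the exception-registration record, and sub esp,0x1d0 reserves 0x1d0 (464) bytes of locals below it, so any fixed-size buffer in that area sits directly beneath the saved registers, the exception record, and the return address. The push 0x3d followed by the call to strchr splits a string at '='. The C below is an added example, not code from idq.dll or from this book: it is a constructed stand-in for the bug class, a name=value splitter that copies the name into a 0x1d0-byte stack buffer without comparing its length to the buffer, beside the checked form. The function names, parameter names and sample query strings are assumptions; the real logic of idq.dll is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the local area reserved by "sub esp,0x1d0" in the prologue above. */
#define LOCAL_BYTES 0x1d0

/*
 * Constructed illustration of the bug class (not the idq.dll code).
 * Both functions copy the name part of a "name=value" pair into a
 * fixed stack buffer and hand it back through name_out; name_out may be
 * NULL with out_len 0 when the caller only wants the length.
 * Return value: length of the name, -1 if there is no '='.
 */

/* Hypothetical vulnerable form: n is never compared with sizeof(local),
 * so a name longer than 0x1d0 bytes runs past the local buffer and into
 * the saved registers, exception record and return address above it. */
int split_name_unchecked(const char *pair, char *name_out, size_t out_len)
{
    char local[LOCAL_BYTES];              /* fixed frame, like 0x1d0 above   */
    const char *eq = strchr(pair, '=');   /* strchr(edi, 0x3d) in the listing */
    if (eq == NULL)
        return -1;
    size_t n = (size_t)(eq - pair);
    memcpy(local, pair, n);               /* BUG: no bound on n              */
    local[n] = '\0';
    snprintf(name_out, out_len, "%s", local);
    return (int)n;
}

/* Hardened form: refuse any name that would not fit with its terminator.
 * Returns -2 for an oversized name. */
int split_name_checked(const char *pair, char *name_out, size_t out_len)
{
    char local[LOCAL_BYTES];
    const char *eq = strchr(pair, '=');
    if (eq == NULL)
        return -1;
    size_t n = (size_t)(eq - pair);
    if (n >= sizeof(local))               /* the missing check               */
        return -2;
    memcpy(local, pair, n);
    local[n] = '\0';
    snprintf(name_out, out_len, "%s", local);
    return (int)n;
}

/* Builds a constructed attacker-style query: name_len bytes of 'N'
 * followed by "=x". Returns bytes written (excluding the terminator),
 * or 0 if buf is too small. */
size_t build_long_query(char *buf, size_t buf_len, size_t name_len)
{
    if (buf_len < name_len + 3)
        return 0;
    memset(buf, 'N', name_len);
    memcpy(buf + name_len, "=x", 3);
    return name_len + 2;
}

/* Runs the checked parser on a constructed name of name_len bytes so the
 * boundary can be probed without any output buffer. -3 means the probe
 * buffer itself was too small. */
int probe_checked(size_t name_len)
{
    char query[LOCAL_BYTES * 2];
    if (build_long_query(query, sizeof(query), name_len) == 0)
        return -3;
    return split_name_checked(query, NULL, 0);
}

int main(void)
{
    char name[64];
    char query[LOCAL_BYTES * 2];

    printf("short: %d %s\n",
           split_name_checked("query=foo", name, sizeof(name)), name);
    build_long_query(query, sizeof(query), LOCAL_BYTES + 100);
    printf("long: %d (checked form rejects it)\n",
           split_name_checked(query, name, sizeof(name)));
    /* split_name_unchecked(query, name, sizeof(name)) would overwrite the
     * frame here; it is deliberately not called. */
    return 0;
}
```

The point for an auditor is the shape, not the names: a prologue that reserves a fixed frame, a pointer to attacker-controlled input (the query string walked from [eax+0x64] into esi/edi) and a string routine that locates a delimiter but never reports how far the data extends. Whether a length check exists between the delimiter search and the copy is what the rest of the function has to answer.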


Auditing Program Binaries 263